Therefore, the real question is, How can I monitor who is currently logged on to my domain's servers? In Win2K, the only native way to monitor logons is to open the MMC Computer Management snap-in, then click System Tools, Shared Folders, Sessions. In the Sessions folder, you see all the users currently connected to the server over the network, including not only users connected to shared folders but users connected to any other Win2K resources (e.g., the event log, the registry). However, as you can see when you look in the Sessions folder, which Figure 2 shows, the Computer Management snap-in shows you only one server at a time. You have other options, however. You could create your own custom MMC that contains multiple instances of the Computer Management snap-in, with each instance focused on a different server. You could even adapt MMC to display only the Sessions portion of the Computer Management snap-in for each server. To learn more about creating custom MMCs, see "Creating a Custom Password-Reset MMC," http://www.WindowsITsecurity.com, InstantDoc 9189. You might also consider using Net Watch, a tool in the Microsoft Windows NT Server 4.0 Resource Kit. As Figure 3 shows, Net Watch displays a list of all the users currently connected to the local server. You can add as many other servers as you like.
By default, Win2K and NT display a password-expiration notification 14 days before expiration and, until you change your password, every time you log on thereafter. How can I change the 14-day notification to a 3-day notification?
You need to set the PasswordExpiryWarning entry (type REG_DWORD) under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry subkey to 3 (the number of days of warning). You must make the change on every computer in the domain, which can be laborious. Two options for automating the task exist, however.
One option is to use a Group Policy Object (GPO) linked to the domain's root to change the value. In the GPO, create a new template under \computer configuration\administrative templates. An administrative template is simply a set of registry settings defined in the .adm file format. Documentation about writing custom .adm files is scarce, but you can look at an .adm file that comes with Win2K and adapt it. To adapt an .adm file, edit (i.e., open) any GPO, click Computer Configuration, right-click Administrative Templates, select Add/Remove Templates, then click Add. Win2K lists the current .adm files in the \%systemroot%\inf folder. Make a copy of one of these files, then adapt it to your needs.
The other option is to use the Reg tool that comes with the Win2K Support Tools. Reg is a command-line program that lets you use a batch file to add registry values. Simply create a batch file that uses Reg to add the PasswordExpiryWarning entry, set the value to 3, then include the batch file in your users' standard logon script. Or, you can use the Startup Scripts section of a GPO. For more information about startup scripts, see "Updating Service Packs and Hotfixes with Boot Scripts," http://www.WindowsITsecurity.com, InstantDoc ID 15953.
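As an added example (not the article's own script), here is a batch file that makes the PasswordExpiryWarning change with Reg and logs the result, suitable for a logon script or a GPO startup script. It assumes reg.exe accepts the /v /t /d /f argument form (the form used by reg.exe 2.0 and later; confirm with reg add /?) and that \\fileserver\logs is a hypothetical share the script may write to.

```batch
@echo off
rem Added example, not the article's script: set the Winlogon
rem PasswordExpiryWarning value to 3 days and record what happened.
rem Assumes reg.exe accepts the /v /t /d /f form (reg.exe 2.0+) and
rem that \\fileserver\logs is a writable share (both hypothetical).
setlocal
set WINLOGON=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
set VALUENAME=PasswordExpiryWarning
set DAYS=3
set LOG=\\fileserver\logs\pwdwarn-%COMPUTERNAME%.log

rem Writing under HKLM needs administrative rights. In a user logon
rem script that means the user must be a local administrator; a GPO
rem startup script runs as LocalSystem and has no such dependency.
reg add "%WINLOGON%" /v %VALUENAME% /t REG_DWORD /d %DAYS% /f >nul
if errorlevel 1 goto failed

rem Read the value back so the log proves the change took effect.
echo %DATE% %TIME% %COMPUTERNAME%: %VALUENAME% set to %DAYS% >> "%LOG%"
reg query "%WINLOGON%" /v %VALUENAME% >> "%LOG%"
goto :EOF

:failed
echo %DATE% %TIME% %COMPUTERNAME%: reg add failed, errorlevel %ERRORLEVEL% >> "%LOG%"
```

The log lines make it easy to spot machines where the change failed (typically an access-denied error from a non-administrator logon), which is the usual reason to prefer the GPO startup-script route.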
To keep my systems up-to-date with the security patches, I want to deploy SP1 on my Win2K machines automatically with the Microsoft installer package that you describe in your article "Windows 2000 Installer Package for Service Pack 1," http://www.WindowsITsecurity.com, InstantDoc ID 16480. But I've encountered a problem because Symantec's Norton AntiVirus is on all the machines. My tests show that I must stop all the Norton AntiVirus services to install SP1 correctly. What's the best way to perform this task?
Instead of using Win2K Installer to deploy SP1, you could deploy SP1 with a startup or shutdown script in the \windows settings\scripts section of a GPO. Your startup script would disable Norton AntiVirus, install SP1, then reenable Norton AntiVirus. You can use the Net command to stop and start services. The script needs to include logic to prevent the batch file from reinstalling the service pack every time you start the system. Listing 1 shows a sample startup script you can use.
The script in Listing 1 first checks to see whether the SP1HasBeenInstalled folder exists. If the folder exists, the script terminates. If the folder doesn't exist, the script stops the Antivirus Auto-Protect service, then runs sp1network.exe, the SP1 installation program. The q and z switches cause the service pack to install without asking questions or rebooting. In your script, you need to replace \\fileserver\sp1 with the path to a folder on your network that contains sp1network.exe (which you can download from http://www.microsoft.com/windows2000/downloads/recommended/sp1). Upon successful installation, the script creates the SP1HasBeenInstalled folder and uses the Win2K resource kit's shutdown tool to reboot, which is necessary after service pack installation. For a more sophisticated example of startup scripts, see "Updating Service Packs and Hotfixes with Boot Scripts," http://www.WindowsITsecurity.com, InstantDoc ID 15953.
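The startup script described above, reconstructed as an added example (Listing 1 itself is not reproduced on this page, and this is not the article's code). It assumes the share is \\fileserver\sp1, that the Auto-Protect service's display name is "Norton AntiVirus Auto Protect Service" (check the exact name with net start), that sp1network.exe returns a nonzero exit code when it fails, and that the resource kit's shutdown.exe is on the path.

```batch
@echo off
rem Added example reconstructed from the description of Listing 1;
rem not the article's listing. Assumed names: the \\fileserver\sp1
rem share, the Auto-Protect service display name, and that
rem sp1network.exe returns a nonzero errorlevel when it fails.
set MARKER=%SystemRoot%\SP1HasBeenInstalled
set SP1SHARE=\\fileserver\sp1
set NAVSVC=Norton AntiVirus Auto Protect Service
set LOG=%SystemRoot%\sp1-startup.log

rem 1. The marker folder is the "already done" flag, so the script can
rem    stay in the GPO and runs the installer only once per machine.
if exist "%MARKER%\nul" goto :EOF

rem 2. Stop Auto-Protect so it cannot hold files the installer replaces.
net stop "%NAVSVC%"

rem 3. Quiet install (-q) that does not reboot on its own (-z), so the
rem    script controls the reboot and can log the outcome first.
"%SP1SHARE%\sp1network.exe" -q -z
if errorlevel 1 goto failed

rem 4. Record success, create the marker, and reboot after a short delay
rem    (resource kit shutdown.exe: /L local, /R reboot, /T:secs, /Y no
rem    prompt, /C close apps). Auto-Protect comes back with the reboot.
echo %DATE% %TIME% SP1 installed from %SP1SHARE% >> "%LOG%"
md "%MARKER%"
shutdown /L /R /T:30 /Y /C
goto :EOF

:failed
rem Leave the marker absent so the next boot retries, but restart
rem Auto-Protect now so the machine is not left unprotected.
echo %DATE% %TIME% SP1 install failed, errorlevel %ERRORLEVEL% >> "%LOG%"
net start "%NAVSVC%"
```

Because a GPO startup script runs in the computer's security context, the share and NTFS permissions on \\fileserver\sp1 must grant read access to the computer accounts (for example, Domain Computers), not just to users.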
I want to use Win2K Installer to deploy SP1 to my Win2K machines automatically, but users who log on remotely with a VPN connection would potentially have to wait hours for the service pack to download. How can I defer installing the software until users log on with a fast local connection?
To defer processing of certain areas of Group Policy when users are communicating with a slow network connection, open the Active Directory Users and Computers snap-in, then edit a GPO to view the policies under \computer configuration\administrative templates\system\group policy. In the Software Installation policy processing Properties dialog box, which Figure 4 shows, double-click Software Installation policy processing to open the Group Policy window that Figure 5 shows. Enable the policy, then make sure that the Allow processing across a slow network connection check box is clear. Next, in the same Group Policy window, select Group Policy slow link detection and ensure that it's enabled. Make sure that the connection speed is set low enough (the default is 500Kbps) that Win2K will recognize when a user is using the VPN to log on and thus defer installing software until the user logs on from a fast local connection. If you install SP1 with a startup script (as I describe in the preceding question), you can use the Scripts policy processing policy to defer processing of startup scripts when communicating with a slow network connection.